Flashback Mac Trojan Shakes Apple Rep of Invulnerability

By Jeffrey Burt |
Posted 2012-04-09

Flashback Mac Trojan Shakes Apple Rep of Invulnerability

The extent of the threat to Apple Mac users from the Flashback Trojan is coming into clearer focus, with security software vendor Kaspersky Lab confirming previous reports that more than 600,000 systems have been infected, making it among the largest cases involving the Apple systems.

The Flashback virus first showed up last year as a classic Trojan, looking like an update to Adobe Flash that, when executed, would infect the system. Flashback returned in March as less of a Trojan and more of a drive-by threat. Rather than relying on users to download the malware onto their Macs, the Flashback exploit infects vulnerable systems when a user visits a compromised Website.

Security experts and analysts have said that the threat to Mac users is high because many of them bought into the idea that their Apple systems are essentially invulnerable to attacks, and thus many have not secured the Macs as well as they could have. Mac users have to understand that their systems are open to threats, according to Forrester analysts David Johnson.

Of course, the Mac is vulnerable, Johnson wrote in an April 6 blog post. Every Internet-connected device is vulnerable.

For Mac users, the real question is how to protect the systems. Johnson questioned whether traditional antivirus software is appropriate for Macs, noting what he called an abysmal track record for such approaches on Windows machines. Such software takes a lot of computer resources when scanning the system, and theyre too reactive. He said that in researching management best practices for Macs, hes talked with a number of people running Macs in highly secure environments.

One thing that has emerged from the dozens of conversations I've had with people who actually manage Macs in both large and small firms every day, is that not one of them has any illusions about the potential risks, Johnson wrote. Even so, only a few were using a traditional anti-virus solution for Macs, preferring instead to have effective patching and system backup/recovery capabilities, and user education programs.

Security firms said they began seeing new variants of the Flashback malware in mid-March, and researchers with a Russian firm, Doctor Web, reported last week that through a sinkholing operationwhere they essentially were able to gain control of command and control (C&C) serversthey were able to determine that more than 600,000 Macs worldwide had been infected, with more than half being in the United States and Canada.

That number initially drew skepticism, but in an April 6 post on Kasperkys SecureList blog, security expert Igor Soumenkov said Kaspersky researchers were able to confirm Doctor Webs numbers. Through a similar sinkholing operation, Kaspersky noted that more than 600,000 unique bots connected to a domain the company had set up, and that the Flashback malware used more than 620,000 external IP address.

Kaspersky wasnt able to say whether all the bots coming into its server were running Mac OS X, but that by using passive operating system fingerprinting techniques, researchers were able to get a rough estimation.

More than 98 percent of incoming network packers were most likely sent from Mac OS X hosts, Soumenkov wrote.

Researchers Said About 1 Percent of Macs Was Affected

Given the millions of Windows PCs that have been infected in the past by such malware as Conficker, the 600,000-plus may seem small, according to researchers at security software vendor Intego. However, with an installed base of between 60 million and 70 million, that means about 1 percent of all Macs worldwide have been compromised, they said in an April 7 blog.

So one in 100 Macs is infected, they wrote. Its clear that we are faced with an unprecedented attack of Mac malware.

Mac users belief of the invulnerability of their systems makes the threat even more serious, according to security experts.

Most Mac users have grown accustomed to the lack of malware reported on Apples devices, many of which do not have any additional layer of protection implemented on their system to protect against possible cyber-attacks either, researchers at security software vendor Bit9 wrote in an April 4 blog.

Apple officials last week issued two patches aimed at addressing the vulnerabilities, which lie more with issues in Oracles Java than in Apples operating system. The problem arises because Mac users can download Java onto their systems. But the problems for Mac usersand others who are using such Apple Internet-connected devices like iPhone and iPadsis that as these products grow in popularity among customers, they also will become more popular to cyber-criminals.

Already there have been numerous attacks on Macs over the past year, such as the Tsunami and Revier/Imuler Trojans, and the Mac Defender fake antivirus program.

"This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats," Mike Geide, senior security research at Zscaler ThreatLabZ, said in an email after the April 3 patch was released. "And the need to follow best security practices, such as remaining current with patches, is ubiquitousit doesn't matter if you're using Windows, Mac or even [a] mobile phone."